PWM – Open Source Password Self Service with OpenLDAP – Configuring PostgreSQL database
PWM – Open Source Password Self Service with OpenLDAP – Configuring PostgreSQL database
Settings required in Postgres:
In Postgres, Create a database named ‘pwm’.
# su – postgres
$ createdb pwm
$ exit
Create the following tables in Postgres required for PWM.
# psql pwm postgres
pwm=# CREATE table PWM_META (
id VARCHAR(128) NOT NULL PRIMARY KEY,
value TEXT
)
;
pwm=# CREATE table PWM_RESPONSES (
id VARCHAR(128) NOT NULL PRIMARY KEY,
value TEXT
)
;
pwm=# CREATE table USER_AUDIT (
id VARCHAR(128) NOT NULL PRIMARY KEY,
value TEXT
);
pwm=# CREATE table INTRUDER (
id VARCHAR(128) NOT NULL PRIMARY KEY,
value TEXT
);
pwm=# CREATE table TOKENS (
id VARCHAR(128) NOT NULL PRIMARY KEY,
value TEXT
)
;
pwm=# CREATE table OTP (
id VARCHAR(128) NOT NULL PRIMARY KEY,
value TEXT
);
pwm=# CREATE table PW_NOTIFY (
id VARCHAR(128) NOT NULL PRIMARY KEY,
value TEXT
);
In pg_hba.conf, add the following line:
host pwm postgres 127.0.0.1/32 trust
Save and exit from pg_hba.conf
Restart Postgresql
# service postgresql restart
Settings required in PWM:
Download the file “postgresql-8.4-703.jdbc3.jar” for PostgreSQL 8.4.20 or the right version depending on the version of Postgres from the site: https://jdbc.postgresql.org/download.html.
Upload this file in PWM, Settings->Database (Remote)->Connection->Upload File->Select the file and click upload.
Set Database class as: org.postgresql.Driver
Set Database connection string as: jdbc:postgresql://localhost/pwm
Set Database username : postgres
Save the Database password for user ‘postgres’.
Set Database vendor as ‘Other’.
Test the Database connection.
Save PWM settings and exit.
PWM – Open Source Password Self Service with OpenLDAP – User Interface – New User Registration
PWM – Open Source Password Self Service with OpenLDAP – User Interface – New User Registration
In the login screen, we get an option for ‘New User Registration’ if it has been enabled using ‘Configuration Manager’. In this section, we will see how to create a new user using this interface. Click on the ‘New User Registration’ option as shown in the figure below.
We get the following screen for ‘New User Registration’. We need to input the Login name, First name, Last name, Email address, New password and Confirm password. The login name has to be unique. All the fields are required in the following example. We have the option to configure what is required and what may be kept optional in the configuration settings. For each attribute, we may define certain characteristics based on the type of the attribute. Enter the required field values in the following screen.
When all the input fields have been filled, we get the following message: “Your account is ready to be created. Continue when ready.” Click on ‘Create’ button to continue.
If all the input fields have valid values, a unique security code is sent to the email address mentioned in the above form. You need to copy/enter the security code that is sent to the email address. Check your email, copy the code and enter in the text box in the screen shown below.
Once the security code has been entered, we see the screen as shown below. Click on ‘Check Code’ button to continue.
If security code entered above is correct, the user account is created in OpenLDAP and we get a confirmation message “Your new user account has been successfully created.” Click on ‘Continue’ and you will be logged out of the session. Try to log in with this newly created user account. Once you are logged in, you may edit this user profile and setup security questions for your account.
PWM – Open Source Password Self Service with OpenLDAP
PWM – Open Source Password Self Service with OpenLDAP
PWM is an open source password self service for OpenLDAP, Active Directory and other LDAP directories. It is a general purpose open source solution towards Password recovery solutions, so that we don’t have to write our own module for resetting and recovering user accounts and passwords. It is a web based application for recovering passwords for LDAP directories.
PWM download link is:
https://github.com/pwm-project/pwm/
When we login in the above screen, we get PWM User Interface for that user. It provides options to change one’s password, setup security questions, manage user profile etc. To have a detailed look on these available options, see this link:
https://code365.in/pwm-open-source-password-self-service-with-openldap-user-interface/
Recovery options that are available in the above screen are:
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Forgotten Password
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Forgotten Password
The login screen of Open Source Password Self Service is shown below. It provides recovery options to recover forgotten password, forgotten username, activate user account and also towards new user registration. In this section, we will see how to recover a forgotten password using ‘Forgotten Password’ option as shown in the following screen.
Forgotten Password:
When we click on ‘Forgotten Password’ option, the following screen is shown where in we need to type in Email Address and Last name of the user whose password, we wish to recover. Enter Email address and Last name of the user and click on Search button.
The next screen shows security questions for the given user. Depending upon what security questions have been configured using Configuration Manager, random questions are picked and shown as in the following figure.
If the answers to these security questions matches with the ones from the database, it sends a security code to the registered email – address. This procedure of sending security code needs to be configured first using Configuration Manager, also Email gateway has to be configured to enable sending and receiving mails using this interface. We assume all these settings have been correctly configured, a security code will be sent to the registered email address. You then need to copy the security code and paste it in the text box below Code as shown in the following figure.
Enter the Security code received on your email address as shown in the following figure and then click on ‘Check Code’ button.
If the security code is correct, then the next screen is shown as given below. It is ‘Change Password’ screen. You need to provide a new password to your account. The new password should meet the password policy requirements. These rules are shown in the screen. Also, if Auto generate random password option is enabled in Configuration Manager, then we have the option to generate a random password using the option ‘Auto generate a new Password’. Type in the new password as per the password policy and confirm the password in the next text box.
Once the entered password matches with the confirmed password, the message is shown “New password accepted, please click Change password.” The strength of the given password is shown next to New password text box, it is shown as ‘Strength: Strong’ in the figure given below. Also, next to Confirm password, a green tick mark indicates that the confirmed password matches with the given new password. Now we can click on ‘Change Password’ button, as shown below.
The following message is displayed – “Your password is being changed. This process may take several minutes, please be patient.”. Once it is done, logout and login with the new password that you have entered.
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Forgotten Username
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Forgotten Username
Forgotten Username:
The second option available in the Open Source Password Self Service login screen is towards recovering forgotten username. Forgotten Username may be used to find your forgotten username. Click on Forgotten Username option as shown in the following figure:
To recover Forgotten Username, we need to provide email address and last name of the user, whose username is to be recovered. Enter the Email address of the user, followed by his last name and then click on Search button as shown in the following figure.
If the email address and last name provided as an input in the above screen matches with a valid entry of the user, his username is retrieved and shown with the message: “Your username is pwm_ma050. Please record your username for future use’, as shown in the following figure.
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Activate Account
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Activate Account
In PWM, if Activate account option is enabled in ‘Configuration’ under ‘User Activation’ module, then we get ‘Activate Account’ option in the login screen as shown below. Here we will see about how to activate users’ account and setup a password to that account.
Click on ‘Activate Account’ option as shown in the following screen:
Enter Username that is the login name of the user that needs activation. Enter Username as shown in the following screen and click on ‘Activate’ button.
If User is found, we get the following message “Your user account has been successfully activated. Be sure to complete the process, or you will not be able to access to your account.”. It means, the account has been successfully activated and now we need to define a password for this account to be able to login further. Click on ‘Continue’ button.
Now we get the ‘Change Password’ screen, wherein we need to define a password to this account. The ‘Change Password’ screen shown the ‘Password Policy’ that is currently enforced as per PWM password policy settings. Type in a New password and Confirm password that is as per the given password policy.
If New Password is as per the given Password policy, and Confirm password is same as New password, we get the following message in blue highlighted text, “New password accepted, please click change password.’ Further, next to New password text field, we see green indicator with caption : ‘Strength: Strong’, it means the given password is strong as per the policy and a green check mark next to Confirm password, that means the confirm password is same as new password. Now click on ‘Change Password’ button.
We get the following screen with the confirmation message: “Your password is being changed. This process may take several minutes, please be patient.” Wait for a while and once it is done, the session logs out automatically. Once it is done, the user is activated and a password is defined successfully.
PWM – Open Source Password Self Service with OpenLDAP – User Interface – People Search
PWM – Open Source Password Self Service with OpenLDAP – User Interface – People Search
When we login in PWM, we get the following screen. The next option to discuss here is ‘People Search‘ option. This option is used to lookup contact information for your colleagues. We can search users and information about these users using this option.
The users may be searched on different keywords, like their login name, first name, last name, email address etc. The following screen shows how we can search users from this interface. Type in a keyword and click on Search button. If we type in ‘testuser’, then we get a list of users that match with ‘testuser’ string.
We can define the number of columns to be shown or hidden in this interface. In the following figure, we see a plus (+) icon on the right side of the table. If we click on this icon, we get a drop-down list containing some attributes, First Name, Last Name, Title, Email, Telephone. The checked attributes means that the fields are shown in the output table, the unchecked attribute means that it is not shown in the output table. We can check or uncheck the attributes we want to display or hide in the output table.
Back to PWM – Open Source Password Self Service with OpenLDAP – User Interface
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Account Information
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Account Information
When we login in PWM, we get the following screen. The next option to discuss here is ‘Account Information’ option. ‘Account Information’ provides information about our password and password policies. This option is useful, if we wish to review password policies, account details or password history.
Click on ‘Account Information’ in the above screen, and we get the following screen. The screen below shows three tabs. First tab is Account Information that shows various attributes as described below:
- Username: The current user login name.
- Password Expired: It is a flag that is True is the password has already expired and false otherwise.
- Password Pre-Expired: It is a flag that is True, if the password expire time is within the ‘preExpireTime’ setting and false otherwise.
- Within Warning Period: It is the period during which PWM warns the user that the password is going to expire in near future.
- Violates Password Policy: If the password is not as per Password policy, and it is set from outside PWM, this flag will show if password confirms to Password Policy or not.
- Password Set Time: It is the timestamp when the password is set for this user.
- Password Set Time Delta: It calculates the time difference when the password is set with respect to current time.
- Password Expiration Time: It is the date and time when the password is set to expire.
- Responses Stored: It is a flag that is true if the security responses are stored for this logged in user and false otherwise.
- Stored Responses Timestamp: It is the timestamp when the security responses are stored for the user.
- Network Address: It the IP of the machine and for this test machine it is 192.168.0.110
- Network Host: It is the hostname of the machine.
- Logout URL: If Logout URL is defined in ‘Configuration Manager’ of PWM, it shows what is configured as Logout URL. It is to set a destination url when user logs out of PWM.
URL to redirect user to upon logout. If the site is being accessed through a web authentication gateway, the Logout URL should be set to the gateway’s Logout URL. If you are using a gateway and do not include the proper logout URL here, then users will almost certainly get authentication errors, intruder lockouts and other problems. If things are working properly then the user should see the gateway logout screen when logging out.
The Logout URL can be set to any desired relative or absolute URL. At the time the user’s browser requests this url, the local session will have already been invalidated.
This setting can always be overridden for any given user session by adding a logoutURL parameter to any HTTP request during the session. - Forward URL: If Forward URL is defined in ‘Configuration Manager’ of PWM,, it shows what is configured as Forward URL. After completing any activity which does not require a logout, the user will be forwarded to this url.
This setting can always be overridden for any given user session by adding a forwardURL parameter to any HTTP request. If blank, the user will be forward to the application menu.
The Password Policy tab shows the password policy that is currently set using Configuration Manager settings in PWM. This policy may be defined as Local policy or LDAP policy or a combination of both. The rules that are enforced by this password policy are shown in the following figure:
The Password History tab shows timestamps for different events as shown in the following figure. These events are:
- Authentication
- Create Account
- Authentication
- Setup Password Responses
- Change Password
- Authentication
- Update Attributes
Back to PWM – Open Source Password Self Service with OpenLDAP – User Interface
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Shortcuts
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Shortcuts
When we login in PWM interface, we get the following screen. The fourth option available in this screen i s “Shortcuts”. We can define some “Personalized shortcuts”, that are direct links towards some static urls. We can even have direct links towards intranet or internet.
Clicking on “Shortcuts” option in the above screen, shows the following screen. In this example, two shortcuts are defined. These are direct links, called hyperlinks towards these 2 pages. First link is towards Google (Google Search) and second link is towards Yahoo (Yahoo Home Page). Similarly, using ‘Configuration Manager’ of PWM, we may create more hyperlinks per user, that are available from within PWM to provide direct access using these hyperlinks. Clicking on Google opens Google search page and clicking on Yahoo opens Yahoo home page. It all depends upon the user, how he organizes what should be readily available to him, and Shortcuts provides a mechanism to define such hyperlinks.
Back to PWM – Open Source Password Self Service with OpenLDAP – User Interface
PWM – Open Source Password Self Service with OpenLDAP – User Interface – Update Profile
The following screen is shown, that shows the input fields with their values. This screen is a confirmation screen, that shows the input values and an option to re-edit these values, we can click on Go Back, to go back to the previous screen, and then modify these input values. If everything is OK, click on Confirm button.
The following screen is shown with the message : “Your user information has been successfully updated.” Click on Continue to go back to Main Menu.
Back to PWM – Open Source Password Self Service with OpenLDAP – User Interface
